Why cookies exist

HTTP is a stateless protocol: each request carries no information about the requests before it, so the server has no memory of the client that sent it. Without some form of state, the user would have to repeat work constantly, such as entering a username and password every time the site needs to know who they are. To improve usability and efficiency, cookies serve as an identity card and a notebook: a carrier and a record of per-client information.

Mechanism of action

  1. The client sends a request.
  2. The server records the client's information and generates a cookie.
  3. The server adds a Set-Cookie header to the response; its value is the generated cookie.
  4. The client saves the cookie locally and, on the next request, adds a Cookie header whose value is the saved cookie.

How cookies are stored locally

1. Location and content of the local file

Different browsers use different storage mechanisms; Chrome is used as the example below.

Chrome stores cookies in a database file under C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default

This file is an SQLite database. Opened with SQLiteStudio, its table structure is as follows:

2. Viewing the cookies of one site

Use an SQL statement to filter the cookies belonging to one site. The value for each name is stored in encrypted form, in the encrypted_value field.

When the request is sent, the cookie looks like this:

The value has the form key=value, where key corresponds to the name field in the table.

encrypted_value is protected with the Windows DPAPI; CryptUnprotectData is the call that decrypts it.

Operating on cookies from JavaScript

Use document.cookie to read and assign cookies.

document.cookie = "name=oeschger";
document.cookie = "favorite_food=tripe";
alert(document.cookie);
// Displays: name=oeschger; favorite_food=tripe

However, letting JavaScript read cookies exposes them to cross-site scripting (XSS): an injected script can read document.cookie just as the page's own code can. Setting the HttpOnly attribute prevents JavaScript from accessing the cookie at all.

You can use navigator.cookieEnabled to determine whether cookies are enabled for this page:

if (!navigator.cookieEnabled) {
  // The browser does not support cookies, or the user has disabled them.
}
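Added example (not from the original article) of working with the document.cookie string: parsing what it reads back into an object, building an assignment string with percent-encoded values and attributes, and deleting a cookie by re-setting it with Max-Age=0. The helpers only build and parse strings, so they run under Node as well as in a browser; the function names are this example's own.

```javascript
// Added example: helpers around the document.cookie string API.

// document.cookie reads back as "name=value; name2=value2" with all attributes
// stripped. Parse that into an object, decoding values the way they were encoded.
function parseDocumentCookie(cookieString) {
  const result = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq <= 0) continue;                 // skip empty or nameless entries
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    result[name] = safeDecode(raw);
  }
  return result;
}

// Values set by other code may not be percent-encoded; keep them as-is then.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Build the string to assign to document.cookie. The value is percent-encoded so
// ";", "," and whitespace (not allowed in cookie values) cannot break the header.
function cookieAssignment(name, value, attrs = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.expires) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.secure) parts.push('Secure');
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  // HttpOnly cannot be set from script, and an HttpOnly cookie never appears in
  // document.cookie, so it is deliberately absent from this builder.
  return parts.join('; ');
}

// Deleting from script means re-setting the cookie with an expiry in the past.
// Path/Domain must match the original cookie or the browser treats it as a new one.
function expiredAssignment(name, attrs = {}) {
  return cookieAssignment(name, '', { ...attrs, maxAge: 0 });
}

// Browser usage (not executed under Node):
//   document.cookie = cookieAssignment('favorite_food', 'tripe; extra', { path: '/', sameSite: 'Lax' });
//   parseDocumentCookie(document.cookie).favorite_food   // 'tripe; extra'
//   document.cookie = expiredAssignment('favorite_food', { path: '/' });
console.log(cookieAssignment('favorite_food', 'tripe; extra', { path: '/', sameSite: 'Lax' }));
```

Reading document.cookie after an assignment returns only the name=value pairs, never the attributes, which is why parseDocumentCookie does not try to recover Path, Domain or expiry information.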

Cookie life cycle

A cookie's lifetime can be defined in two ways:

  • A session cookie is the simplest kind: it is deleted automatically when the browser closes, so it is valid only for the session. Session cookies specify neither an expiration date (Expires) nor a lifetime (Max-Age). Note that some browsers offer session restore, in which case session cookies survive a browser restart as if the browser had never been closed, so their life can extend indefinitely.
  • The lifetime of a persistent cookie is set by an expiration date (Expires) or by a period of time given in Max-Age.

Cookie scope

  • Domain attribute

Cookies set on a parent domain can be read by its subdomains, for example:

a.com, b.a.com // cookies set under a.com are available to b.a.com

The reverse does not hold: cookies set by a subdomain cannot be read by the parent domain.

  • Path attribute

As with the Domain attribute, a cookie set on a parent path matches its child paths, but a cookie set on a deeper path does not match the parent path.
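Added example (not the article's code) of a small cookie jar that applies the life-cycle rules from the previous section and the Domain/Path rules from this one, following RFC 6265: session versus persistent cookies, Max-Age taking precedence over Expires, and the one-way domain and path matching the text describes. It goes beyond the text in computing the default path when Path is absent and in tracking a host-only flag for cookies set without a Domain attribute. The function names and the sample Set-Cookie headers are constructed for this example.

```javascript
// Added example: expiry and scope rules of a browser cookie jar (RFC 6265).
const MS = 1000;

// Parse one Set-Cookie header into a cookie record. requestHost and requestPath
// come from the URL the response arrived from; they supply the defaults when the
// Domain or Path attribute is absent.
function parseSetCookie(header, requestHost, requestPath, now = Date.now()) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: requestHost.toLowerCase(),  // host-only cookie unless Domain is given
    hostOnly: true,
    path: defaultPath(requestPath),
    expiresAt: null,                    // null means session cookie
  };
  let maxAge, expires;
  for (const part of attrParts) {
    const [k, ...rest] = part.trim().split('=');
    const v = rest.join('=');
    switch (k.toLowerCase()) {
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; break;
      case 'path': if (v.startsWith('/')) cookie.path = v; break;
      case 'max-age': if (/^-?\d+$/.test(v)) maxAge = Number(v); break;
      case 'expires': { const t = Date.parse(v); if (!Number.isNaN(t)) expires = t; break; }
    }
  }
  // Max-Age takes precedence over Expires when both are present (RFC 6265 5.3).
  // Max-Age <= 0 expires the cookie at once, which is how a server deletes one.
  if (maxAge !== undefined) cookie.expiresAt = maxAge <= 0 ? now - 1 : now + maxAge * MS;
  else if (expires !== undefined) cookie.expiresAt = expires;
  return cookie;
}

// Default path (RFC 6265 5.1.4): the request path up to, but not including, the
// right-most "/"; "/" when there is none or only the leading one.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const i = requestPath.lastIndexOf('/');
  return i === 0 ? '/' : requestPath.slice(0, i);
}

// Domain match: exact, or the request host is a subdomain of the cookie domain.
// a.com's cookies reach b.a.com; b.a.com's host-only cookies never reach a.com.
function domainMatches(requestHost, cookie) {
  const host = requestHost.toLowerCase();
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith('.' + cookie.domain);
}

// Path match: identical, or the cookie path is a prefix ending at a "/" boundary.
// A cookie for /app reaches /app/x but not /application, and never /.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Cookies the browser would attach to a request for host + path at time now.
function cookiesForRequest(jar, host, path, now = Date.now()) {
  return jar
    .filter(c => c.expiresAt === null || c.expiresAt > now)
    .filter(c => domainMatches(host, c) && pathMatches(path, c.path))
    .map(c => `${c.name}=${c.value}`);
}

// Closing the browser (without session restore): session cookies are dropped,
// persistent cookies that have not yet expired survive.
function afterBrowserClose(jar, now = Date.now()) {
  return jar.filter(c => c.expiresAt !== null && c.expiresAt > now);
}

// Constructed sample responses; a.com is a placeholder, not a real site.
function demoJar(now = Date.now()) {
  return [
    parseSetCookie('sid=abc; Path=/', 'a.com', '/login', now),                  // session, host-only
    parseSetCookie('pref=dark; Domain=a.com; Max-Age=3600; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
                   'a.com', '/', now),                                          // Max-Age wins over Expires
    parseSetCookie('sub=1', 'b.a.com', '/app/settings', now),                  // default path /app
  ];
}

console.log(cookiesForRequest(demoJar(), 'b.a.com', '/app/x')); // [ 'pref=dark', 'sub=1' ]
```

The two one-way rules from the text fall out of domainMatches and pathMatches: the parent-domain cookie pref reaches b.a.com while the host-only cookie sid set on a.com does not, and the /app cookie reaches /app/x but is not sent to /application or /.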

Security

1. Preventing cross-site scripting (XSS)

Use the HttpOnly attribute to prevent access to cookie values from JavaScript.

2. Preventing cross-site request forgery (CSRF)

Cookies carrying sensitive information (such as an authentication token) should have a short lifetime. Setting the SameSite attribute to Strict or Lax tells the browser not to send the cookie along with cross-site requests, which provides some protection against cross-site request forgery (CSRF).
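Added example (not from the original article) of the two browser-side checks this section relies on, written as decision functions: scriptVisible models what document.cookie exposes once HttpOnly cookies are excluded, and sameSiteAllows models whether a cookie is attached to a request under SameSite=Strict, Lax or None. A missing SameSite value is treated as Lax here, which is Chromium's default and an assumption of this example; the sample jar and the site names are constructed.

```javascript
// Added example: HttpOnly and SameSite as the browser applies them.

// What document.cookie on the page would show: HttpOnly cookies are excluded,
// so an injected script cannot read them.
function scriptVisible(cookies) {
  return cookies.filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`);
}

// Request context as the browser sees it:
//   requestSite:   the site the request goes to (the cookie's owner)
//   initiatorSite: the site of the page that caused the request
//   topLevel:      true for a navigation that changes the address bar
//   method:        HTTP method
function sameSiteAllows(cookie, ctx) {
  if (ctx.initiatorSite === ctx.requestSite) return true;   // same-site: always sent
  // Assumption of this example: no attribute behaves like Lax (Chromium default).
  switch ((cookie.sameSite || 'Lax').toLowerCase()) {
    case 'strict': return false;                              // never on cross-site requests
    case 'lax':    return ctx.topLevel && ctx.method === 'GET'; // only top-level GET navigations
    case 'none':   return cookie.secure === true;             // None is only honoured with Secure
    default:       return false;
  }
}

// Names of the cookies that accompany a request from the given context.
function cookiesSent(cookies, ctx) {
  return cookies.filter(c => sameSiteAllows(c, ctx)).map(c => c.name);
}

// Constructed jar for bank.example (placeholder site).
const jar = [
  { name: 'sid',   value: 's3cr3t', httpOnly: true,  sameSite: 'Strict', secure: true },
  { name: 'csrf',  value: 'tok',    httpOnly: false, sameSite: 'Lax',    secure: true },
  { name: 'theme', value: 'dark',   httpOnly: false, sameSite: 'None',   secure: true },
];

// A cross-site POST to bank.example: the request shape SameSite is meant to stop.
const crossSitePost = { requestSite: 'bank.example', initiatorSite: 'other.example', topLevel: true, method: 'POST' };
// The user following a link from another site to bank.example.
const crossSiteLink = { requestSite: 'bank.example', initiatorSite: 'news.example', topLevel: true, method: 'GET' };
// bank.example's own page calling its own API.
const sameSiteXhr  = { requestSite: 'bank.example', initiatorSite: 'bank.example', topLevel: false, method: 'POST' };

console.log(cookiesSent(jar, crossSitePost)); // [ 'theme' ]  -> sid never leaves the site
console.log(cookiesSent(jar, crossSiteLink)); // [ 'csrf', 'theme' ]
console.log(scriptVisible(jar));              // [ 'csrf=tok', 'theme=dark' ]
```

The session cookie sid is the one that matters for both attacks, and it is the one neither check exposes: HttpOnly keeps it out of document.cookie, and SameSite=Strict keeps it off every cross-site request. SameSite=Lax still lets a top-level GET navigation carry the cookie, so state-changing actions must not be reachable by GET for Lax to help against CSRF.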